John Stile wrote:

On Wed, 2004-12-01 at 11:06 -0800, John Stile wrote:


I had samba working, then I tried (unsuccessfully) to set up ssh pam auth.
Now users are prompted for a password when accessing shares, but no password
works. I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3. I forgot to back up the pam file system-auth before modifying things, so I'm not sure if that is the problem.
-------------------------------
These commands succeed:
wbinfo -u
wbinfo -g
getent passwd
getent group
net ads info
Time is within 2 seconds between 'net time' and 'date'
-------------------------------
Running winbind in interactive mode while trying to connect:
winbindd -S -i -F -d 8 -Y
The end of the output (as there is a lot) looks like this:
...
remove_duplicate_gids: Enter 5 gids
remove_duplicate_gids: Exit 5 gids
[ 6411]: gid to sid 10001
[ 6411]: gid to sid 10066
[ 6411]: gid to sid 10067
[ 6411]: gid to sid 10265
[ 6411]: gid to sid 10274
read failed on sock 20, pid 6411: EOF
read failed on sock 19, pid 6411: EOF
-------------------------------
/etc/samba/smb.conf
[global]
server string = Samba Server
workgroup = MYREALM
realm = MYREALM.MY.DOMAIN.COM
security = ADS
username map = /etc/samba/smbusers
map to guest = Bad User
password server = *
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = no
local master = no
domain master = no
os level = 33
wins server = 128.32.68.75 128.32.67.118
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = Yes
template primary group = "Domain Users"
template homedir = /home/%U
template shell = /bin/bash
load printers = no
log level = 1
syslog = 0
log file = /var/log/samba/%m.log
max log size = 0
-------------------------------
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth required /lib/security/$ISA/pam_deny.so


account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
------------------------------


I'm also seeing errors in /var/log/samba/winbindd.log
 [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
   ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested realm)
 [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
   ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
 [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
   ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested realm)
 [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
   ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested realm)
 [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
   ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm




What does your /etc/krb5.conf look like?

Christian
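
Added example, not part of the original thread: the "Cannot find KDC for requested realm" lines in winbindd.log are returned by the Kerberos library when it cannot locate a KDC for the realm it was asked about, which is why /etc/krb5.conf is the next file to look at. The sketch below checks whether the realm set in smb.conf has a kdc entry in the [realms] section of krb5.conf. The krb5.conf text, host names and function names are constructed for illustration (the poster's krb5.conf was never shown), and DNS-based KDC discovery is not considered.

```python
import re

# Constructed sample inputs; only the smb.conf values come from the thread.
SMB_CONF = """\
[global]
workgroup = MYREALM
realm = MYREALM.MY.DOMAIN.COM
security = ADS
"""

KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = kdc1.example.com
 }
"""

def smb_realm(text):
    """Return the 'realm' value from smb.conf text, or None."""
    m = re.search(r"^\s*realm\s*=\s*(\S+)", text, re.M | re.I)
    return m.group(1) if m else None

def krb5_kdcs(text):
    """Map each realm in the [realms] section to its list of kdc hosts."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section, current = line.strip("[]").lower(), None
        elif section == "realms":
            m = re.match(r"(\S+)\s*=\s*\{", line)
            if m:
                current = m.group(1)
                realms[current] = []
            elif line.startswith("}"):
                current = None
            elif current and re.match(r"kdc\s*=", line):
                realms[current].append(line.split("=", 1)[1].strip())
    return realms

def check(smb_text, krb5_text):
    """Return (realm, kdcs); an empty list means no static KDC for that realm."""
    realm = smb_realm(smb_text)
    return realm, krb5_kdcs(krb5_text).get(realm, [])

if __name__ == "__main__":
    realm, kdcs = check(SMB_CONF, KRB5_CONF)
    print(f"{realm}: {', '.join(kdcs) or 'no kdc entry in [realms]'}")
```

Realm names in krb5.conf are case-sensitive, so the comparison is deliberately exact.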
